From c193dda360ae5deb5d9cc59c6888c77c2622a46b Mon Sep 17 00:00:00 2001 From: Matt Van Horn <455140+mvanhorn@users.noreply.github.com> Date: Thu, 18 Jun 2026 06:02:44 -0700 Subject: [PATCH] security(ci): pin third-party GitHub Actions to commit SHAs Pin every third-party `uses:` reference across all workflow files and the composite action to its full 40-character commit SHA, with the human-readable version tag preserved as a trailing comment so Renovate and Dependabot can keep them current. Mutable version tags can be repointed by an upstream maintainer or a compromised account, so pinning to immutable digests closes that supply-chain vector. The first-party OWASP/cve-lite-cli@v1 self-reference in self-scan.yml is intentionally left on its major tag. Refs #597 --- .github/workflows/ci.yml | 4 ++-- .github/workflows/codeql.yml | 8 ++++---- .github/workflows/docs-site.yml | 8 ++++---- .github/workflows/release.yml | 6 +++--- .github/workflows/self-scan.yml | 8 ++++---- action.yml | 2 +- 6 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e3f1b549..cdad1e53 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,10 +15,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 cache: npm diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ee5df304..70db9f6f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -23,15 +23,15 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 diff --git a/.github/workflows/docs-site.yml b/.github/workflows/docs-site.yml index 7acaeffe..edabc542 100644 --- a/.github/workflows/docs-site.yml +++ b/.github/workflows/docs-site.yml @@ -30,10 +30,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 22 cache: npm @@ -49,7 +49,7 @@ jobs: - name: Upload Pages artifact if: github.event_name == 'push' - uses: actions/upload-pages-artifact@v5 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 with: path: website/build @@ -77,4 +77,4 @@ jobs: steps: - name: Deploy id: deployment - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e0c0ac84..5f3b9f78 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,12 +15,12 @@ jobs: steps: - name: Checkout at release tag - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.event.release.tag_name }} - name: Setup Node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 cache: npm @@ -38,7 +38,7 @@ jobs: run: npm pack - name: Attest build provenance - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 with: subject-path: 'cve-lite-cli-*.tgz' diff --git a/.github/workflows/self-scan.yml b/.github/workflows/self-scan.yml index b2890560..0444c157 100644 --- a/.github/workflows/self-scan.yml +++ b/.github/workflows/self-scan.yml @@ -11,10 +11,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 cache: npm @@ -35,7 +35,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Run CVE Lite CLI GitHub Action against this repo uses: OWASP/cve-lite-cli@v1 @@ -45,7 +45,7 @@ jobs: sarif: "true" - name: Upload SARIF to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 if: always() with: sarif_file: ${{ github.workspace }} diff --git a/action.yml b/action.yml index 236404c6..2addb78b 100644 --- a/action.yml +++ b/action.yml @@ -76,7 +76,7 @@ runs: using: "composite" steps: - name: Setup Node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ inputs.node-version }}